Conversation

@L-series
Contributor

@L-series L-series commented Dec 1, 2025

  • API: add failure mode support for randombytes()
  • autogen: run to update randombytes declaration
  • randombytes: add example to test failure

@L-series L-series requested a review from a team as a code owner December 1, 2025 22:01
@L-series L-series marked this pull request as draft December 1, 2025 23:04
@L-series L-series force-pushed the randombytes branch 3 times, most recently from 7733e4f to 6bbabfa Compare January 5, 2026 02:02
@L-series L-series marked this pull request as ready for review January 5, 2026 02:07
@hanno-becker
Contributor

@L-series Do you need help debugging the CBMC and AWS-LC failures in CI, or are you fine investigating this?

@L-series L-series force-pushed the randombytes branch 4 times, most recently from e42d879 to 226364d Compare January 12, 2026 04:02
@L-series
Contributor Author

Hi @hanno-becker, the CBMC proofs are fixed and the integration should now be on par with mldsa; however, I'm still seeing an issue with the aws-lc tests after writing a post_import.patch file. Please let me know if you have any idea why the tests are failing.

@hanno-becker hanno-becker self-assigned this Jan 12, 2026
@hanno-becker hanno-becker self-requested a review January 12, 2026 05:57
Contributor

@hanno-becker hanno-becker left a comment


The AWS-LC tests likely fail because RAND_bytes has a different error code convention.

@oqs-bot
Contributor

oqs-bot commented Jan 18, 2026

CBMC Results (ML-KEM-512)

Full Results (139 proofs)
| Proof | Status | Current | Previous | Change |
|---|---|---|---|---|
| **TOTAL** | | 1102s | 1128s | -2.3% |
| mlk_indcpa_keypair_derand | | 194s | 169s | +15% |
| mlk_indcpa_enc | | 152s | 167s | -9% |
| mlk_keccak_squeezeblocks_x4 | | 122s | 124s | -2% |
| mlk_rej_uniform_c | | 68s | 84s | -19% |
| mlk_polyvec_basemul_acc_montgomery_cached_c | | 40s | 41s | -2% |
| mlk_poly_rej_uniform | | 32s | 36s | -11% |
| poly_ntt_native | | 23s | 27s | -15% |
| polyvec_basemul_acc_montgomery_cached_native | | 21s | 21s | +0% |
| mlk_ntt_layer | | 20s | 22s | -9% |
| keccakf1600x4_permute_native_x4 | | 19s | 22s | -14% |
| mlk_indcpa_dec | | 14s | 10s | +40% |
| mlk_poly_reduce_native | | 14s | 12s | +17% |
| mlk_keccak_absorb_once_x4 | | 10s | 9s | +11% |
| mlk_poly_sub | | 10s | 10s | +0% |
| mlk_poly_frombytes_native | | 9s | 7s | +29% |
| mlk_ntt_butterfly_block | | 8s | 10s | -20% |
| mlk_poly_rej_uniform_x4 | | 8s | 8s | +0% |
| mlk_polyvec_add | | 8s | 10s | -20% |
| mlk_keccak_squeezeblocks | | 7s | 6s | +17% |
| mlk_fqmul | | 6s | 7s | -14% |
| mlk_keccak_squeeze_once | | 6s | 7s | -14% |
| intt_native_aarch64 | | 5s | 3s | +67% |
| mlk_keccak_absorb_once | | 5s | 3s | +67% |
| mlk_poly_frommsg | | 5s | 6s | -17% |
| mlk_poly_tobytes_native | | 5s | 3s | +67% |
| mlk_polyvec_compress_du | | 5s | 3s | +67% |
| mlk_scalar_decompress_d11 | | 5s | 3s | +67% |
| mlk_scalar_decompress_d4 | | 5s | 2s | +150% |
| mlk_sha3_256 | | 5s | 1s | +400% |
| keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid | | 4s | 2s | +100% |
| keccakf1600_permute_native | | 4s | 6s | -33% |
| kem_dec | | 4s | 6s | -33% |
| kem_keypair | | 4s | 3s | +33% |
| kem_keypair_derand | | 4s | 3s | +33% |
| mlk_ct_memcmp | | 4s | 4s | +0% |
| mlk_gen_matrix_serial | | 4s | 3s | +33% |
| mlk_invntt_layer | | 4s | 3s | +33% |
| mlk_keccakf1600_permute | | 4s | 6s | -33% |
| mlk_matvec_mul | | 4s | 1s | +300% |
| mlk_poly_compress_du | | 4s | 3s | +33% |
| mlk_poly_decompress_dv | | 4s | 3s | +33% |
| mlk_poly_frombytes_c | | 4s | 4s | +0% |
| mlk_poly_tomont_native | | 4s | 1s | +300% |
| mlk_polymat_permute_bitrev_to_custom | | 4s | 3s | +33% |
| mlk_polyvec_frombytes | | 4s | 3s | +33% |
| mlk_polyvec_permute_bitrev_to_custom_native | | 4s | 4s | +0% |
| mlk_sha3_512 | | 4s | 2s | +100% |
| mlk_shake128_absorb_once | | 4s | 2s | +100% |
| mlk_shake256 | | 4s | 1s | +300% |
| mlk_shake256x4 | | 4s | 3s | +33% |
| keccak_f1600_x4_native_aarch64_v84a | | 3s | 2s | +50% |
| kem_check_pk | | 3s | 2s | +50% |
| kem_enc | | 3s | 4s | -25% |
| mlk_check_pct | | 3s | 2s | +50% |
| mlk_ct_cmask_neg_i16 | | 3s | 1s | +200% |
| mlk_ct_cmask_nonzero_u8 | | 3s | 4s | -25% |
| mlk_keccakf1600x4_extract_bytes | | 3s | 2s | +50% |
| mlk_keccakf1600x4_permute | | 3s | 2s | +50% |
| mlk_keccakf1600x4_xor_bytes | | 3s | 2s | +50% |
| mlk_montgomery_reduce | | 3s | 3s | +0% |
| mlk_poly_compress_dv | | 3s | 2s | +50% |
| mlk_poly_getnoise_eta1122_4x | | 3s | 3s | +0% |
| mlk_poly_getnoise_eta1_4x | | 3s | 3s | +0% |
| mlk_poly_getnoise_eta2 | | 3s | 2s | +50% |
| mlk_poly_mulcache_compute_c | | 3s | 2s | +50% |
| mlk_poly_mulcache_compute_native | | 3s | 3s | +0% |
| mlk_poly_reduce | | 3s | 2s | +50% |
| mlk_polyvec_basemul_acc_montgomery_cached | | 3s | 2s | +50% |
| mlk_polyvec_decompress_du | | 3s | 3s | +0% |
| mlk_polyvec_mulcache_compute | | 3s | 3s | +0% |
| mlk_polyvec_permute_bitrev_to_custom | | 3s | 4s | -25% |
| mlk_scalar_compress_d10 | | 3s | 1s | +200% |
| mlk_scalar_compress_d11 | | 3s | 3s | +0% |
| mlk_scalar_decompress_d5 | | 3s | 3s | +0% |
| mlk_scalar_signed_to_unsigned_q | | 3s | 3s | +0% |
| mlk_shake128x4_absorb_once | | 3s | 3s | +0% |
| mlk_shake128x4_squeezeblocks | | 3s | 2s | +50% |
| mlk_value_barrier_u32 | | 3s | 3s | +0% |
| polyvec_basemul_acc_montgomery_cached_k2_native_aarch64 | | 3s | 2s | +50% |
| keccak_f1600_x1_native_aarch64_v84a | | 2s | 2s | +0% |
| kem_check_sk | | 2s | 3s | -33% |
| kem_enc_derand | | 2s | 4s | -50% |
| mlk_barrett_reduce | | 2s | 2s | +0% |
| mlk_ct_get_optblocker_i32 | | 2s | 3s | -33% |
| mlk_ct_get_optblocker_u32 | | 2s | 2s | +0% |
| mlk_ct_sel_int16 | | 2s | 2s | +0% |
| mlk_gen_matrix | | 2s | 4s | -50% |
| mlk_keccakf1600_xor_bytes | | 2s | 2s | +0% |
| mlk_poly_add | | 2s | 4s | -50% |
| mlk_poly_cbd_eta1 | | 2s | 4s | -50% |
| mlk_poly_decompress_du | | 2s | 2s | +0% |
| mlk_poly_frombytes | | 2s | 2s | +0% |
| mlk_poly_getnoise_eta1_4x_native | | 2s | 3s | -33% |
| mlk_poly_invntt_tomont | | 2s | 3s | -33% |
| mlk_poly_mulcache_compute | | 2s | 4s | -50% |
| mlk_poly_ntt_c | | 2s | 3s | -33% |
| mlk_poly_tobytes | | 2s | 3s | -33% |
| mlk_poly_tobytes_c | | 2s | 1s | +100% |
| mlk_poly_tomont | | 2s | 1s | +100% |
| mlk_poly_tomsg | | 2s | 2s | +0% |
| mlk_polyvec_invntt_tomont | | 2s | 2s | +0% |
| mlk_polyvec_ntt | | 2s | 3s | -33% |
| mlk_polyvec_reduce | | 2s | 1s | +100% |
| mlk_polyvec_tobytes | | 2s | 4s | -50% |
| mlk_polyvec_tomont | | 2s | 4s | -50% |
| mlk_rej_uniform | | 2s | 2s | +0% |
| mlk_scalar_compress_d1 | | 2s | 3s | -33% |
| mlk_scalar_compress_d4 | | 2s | 3s | -33% |
| mlk_shake128_squeezeblocks | | 2s | 2s | +0% |
| mlk_value_barrier_i32 | | 2s | 3s | -33% |
| mlk_value_barrier_u8 | | 2s | 2s | +0% |
| poly_invntt_tomont_native | | 2s | 2s | +0% |
| poly_mulcache_compute_native_aarch64 | | 2s | 4s | -50% |
| poly_reduce_native_aarch64 | | 2s | 3s | -33% |
| poly_tobytes_native_aarch64 | | 2s | 2s | +0% |
| poly_tomont_native_aarch64 | | 2s | 2s | +0% |
| polyvec_basemul_acc_montgomery_cached_k3_native_aarch64 | | 2s | 2s | +0% |
| polyvec_basemul_acc_montgomery_cached_k4_native_aarch64 | | 2s | 3s | -33% |
| rej_uniform_native_aarch64 | | 2s | 2s | +0% |
| keccak_f1600_x1_native_aarch64 | | 1s | 2s | -50% |
| keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid | | 1s | 1s | +0% |
| mlk_ct_cmask_nonzero_u16 | | 1s | 4s | -75% |
| mlk_ct_cmov_zero | | 1s | 3s | -67% |
| mlk_ct_get_optblocker_u8 | | 1s | 3s | -67% |
| mlk_ct_sel_uint8 | | 1s | 2s | -50% |
| mlk_keccakf1600_extract_bytes | | 1s | 2s | -50% |
| mlk_keccakf1600_extract_bytes (big endian) | | 1s | 3s | -67% |
| mlk_keccakf1600_xor_bytes (big endian) | | 1s | 1s | +0% |
| mlk_poly_cbd_eta2 | | 1s | 3s | -67% |
| mlk_poly_invntt_tomont_c | | 1s | 2s | -50% |
| mlk_poly_ntt | | 1s | 2s | -50% |
| mlk_poly_reduce_c | | 1s | 2s | -50% |
| mlk_poly_tomont_c | | 1s | 2s | -50% |
| mlk_scalar_compress_d5 | | 1s | 3s | -67% |
| mlk_scalar_decompress_d10 | | 1s | 3s | -67% |
| ntt_native_aarch64 | | 1s | 5s | -80% |
| poly_getnoise_eta1122_4x_native | | 1s | 3s | -67% |
| rej_uniform_native | | 1s | 4s | -75% |
| sys_check_capability | | 1s | 1s | +0% |

@oqs-bot
Contributor

oqs-bot commented Jan 18, 2026

CBMC Results (ML-KEM-768)

⚠️ Attention Required

| Proof | Status | Current | Previous | Change |
|---|---|---|---|---|
| mlk_poly_reduce_native | ⚠️ | 21s | 14s | +50% |
Full Results (139 proofs)
| Proof | Status | Current | Previous | Change |
|---|---|---|---|---|
| **TOTAL** | | 1549s | 1464s | +5.8% |
| mlk_indcpa_enc | | 253s | 213s | +19% |
| mlk_indcpa_keypair_derand | | 194s | 368s | -47% |
| mlk_keccak_squeezeblocks_x4 | | 163s | 127s | +28% |
| mlk_rej_uniform_c | | 109s | 73s | +49% |
| mlk_polyvec_basemul_acc_montgomery_cached_c | | 108s | 73s | +48% |
| polyvec_basemul_acc_montgomery_cached_native | | 70s | 56s | +25% |
| poly_ntt_native | | 58s | 44s | +32% |
| mlk_poly_rej_uniform | | 47s | 38s | +24% |
| mlk_ntt_layer | | 35s | 25s | +40% |
| mlk_poly_reduce_native | ⚠️ | 21s | 14s | +50% |
| mlk_indcpa_dec | | 20s | 17s | +18% |
| keccakf1600x4_permute_native_x4 | | 19s | 20s | -5% |
| mlk_keccak_absorb_once_x4 | | 13s | 10s | +30% |
| mlk_poly_frombytes_native | | 12s | 9s | +33% |
| mlk_polyvec_add | | 12s | 12s | +0% |
| mlk_ntt_butterfly_block | | 10s | 9s | +11% |
| mlk_poly_rej_uniform_x4 | | 10s | 9s | +11% |
| mlk_poly_sub | | 10s | 9s | +11% |
| mlk_fqmul | | 9s | 6s | +50% |
| mlk_keccak_squeezeblocks | | 9s | 7s | +29% |
| mlk_polymat_permute_bitrev_to_custom | | 9s | 6s | +50% |
| mlk_poly_frommsg | | 8s | 6s | +33% |
| keccakf1600_permute_native | | 7s | 7s | +0% |
| kem_dec | | 7s | 4s | +75% |
| mlk_invntt_layer | | 7s | 5s | +40% |
| mlk_keccak_absorb_once | | 7s | 4s | +75% |
| mlk_keccak_squeeze_once | | 6s | 8s | -25% |
| kem_check_pk | | 5s | 3s | +67% |
| kem_check_sk | | 5s | 4s | +25% |
| kem_keypair | | 5s | 2s | +150% |
| mlk_ct_cmask_nonzero_u8 | | 5s | 3s | +67% |
| mlk_gen_matrix_serial | | 5s | 4s | +25% |
| mlk_poly_cbd_eta2 | | 5s | 3s | +67% |
| mlk_poly_compress_du | | 5s | 5s | +0% |
| mlk_poly_decompress_du | | 5s | 1s | +400% |
| mlk_poly_getnoise_eta1_4x_native | | 5s | 7s | -29% |
| mlk_shake256x4 | | 5s | 2s | +150% |
| keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid | | 4s | 3s | +33% |
| kem_keypair_derand | | 4s | 2s | +100% |
| mlk_ct_cmov_zero | | 4s | 2s | +100% |
| mlk_ct_get_optblocker_i32 | | 4s | 3s | +33% |
| mlk_gen_matrix | | 4s | 5s | -20% |
| mlk_keccakf1600_permute | | 4s | 5s | -20% |
| mlk_keccakf1600x4_extract_bytes | | 4s | 4s | +0% |
| mlk_poly_mulcache_compute | | 4s | 1s | +300% |
| mlk_poly_tomont_c | | 4s | 2s | +100% |
| mlk_polyvec_frombytes | | 4s | 3s | +33% |
| mlk_polyvec_permute_bitrev_to_custom | | 4s | 5s | -20% |
| mlk_polyvec_permute_bitrev_to_custom_native | | 4s | 3s | +33% |
| mlk_scalar_compress_d4 | | 4s | 3s | +33% |
| mlk_scalar_decompress_d11 | | 4s | 2s | +100% |
| mlk_scalar_decompress_d5 | | 4s | 2s | +100% |
| mlk_shake256 | | 4s | 2s | +100% |
| ntt_native_aarch64 | | 4s | 2s | +100% |
| poly_reduce_native_aarch64 | | 4s | 4s | +0% |
| polyvec_basemul_acc_montgomery_cached_k3_native_aarch64 | | 4s | 2s | +100% |
| polyvec_basemul_acc_montgomery_cached_k4_native_aarch64 | | 4s | 2s | +100% |
| rej_uniform_native_aarch64 | | 4s | 4s | +0% |
| intt_native_aarch64 | | 3s | 2s | +50% |
| kem_enc | | 3s | 3s | +0% |
| kem_enc_derand | | 3s | 1s | +200% |
| mlk_check_pct | | 3s | 2s | +50% |
| mlk_keccakf1600_xor_bytes (big endian) | | 3s | 1s | +200% |
| mlk_keccakf1600x4_xor_bytes | | 3s | 3s | +0% |
| mlk_matvec_mul | | 3s | 3s | +0% |
| mlk_montgomery_reduce | | 3s | 2s | +50% |
| mlk_poly_cbd_eta1 | | 3s | 4s | -25% |
| mlk_poly_decompress_dv | | 3s | 2s | +50% |
| mlk_poly_getnoise_eta1122_4x | | 3s | 1s | +200% |
| mlk_poly_getnoise_eta1_4x | | 3s | 2s | +50% |
| mlk_poly_getnoise_eta2 | | 3s | 3s | +0% |
| mlk_poly_mulcache_compute_c | | 3s | 4s | -25% |
| mlk_poly_tobytes | | 3s | 2s | +50% |
| mlk_poly_tomont | | 3s | 3s | +0% |
| mlk_poly_tomont_native | | 3s | 3s | +0% |
| mlk_poly_tomsg | | 3s | 3s | +0% |
| mlk_polyvec_invntt_tomont | | 3s | 2s | +50% |
| mlk_polyvec_mulcache_compute | | 3s | 3s | +0% |
| mlk_polyvec_ntt | | 3s | 1s | +200% |
| mlk_rej_uniform | | 3s | 1s | +200% |
| mlk_scalar_decompress_d10 | | 3s | 1s | +200% |
| mlk_scalar_signed_to_unsigned_q | | 3s | 2s | +50% |
| mlk_shake128_squeezeblocks | | 3s | 1s | +200% |
| mlk_value_barrier_i32 | | 3s | 2s | +50% |
| mlk_value_barrier_u32 | | 3s | 1s | +200% |
| poly_getnoise_eta1122_4x_native | | 3s | 2s | +50% |
| poly_mulcache_compute_native_aarch64 | | 3s | 3s | +0% |
| poly_tomont_native_aarch64 | | 3s | 5s | -40% |
| rej_uniform_native | | 3s | 1s | +200% |
| keccak_f1600_x1_native_aarch64 | | 2s | 3s | -33% |
| keccak_f1600_x4_native_aarch64_v84a | | 2s | 4s | -50% |
| keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid | | 2s | 2s | +0% |
| mlk_barrett_reduce | | 2s | 1s | +100% |
| mlk_ct_cmask_nonzero_u16 | | 2s | 4s | -50% |
| mlk_ct_get_optblocker_u32 | | 2s | 2s | +0% |
| mlk_ct_get_optblocker_u8 | | 2s | 1s | +100% |
| mlk_ct_memcmp | | 2s | 1s | +100% |
| mlk_ct_sel_int16 | | 2s | 2s | +0% |
| mlk_ct_sel_uint8 | | 2s | 1s | +100% |
| mlk_keccakf1600_extract_bytes | | 2s | 2s | +0% |
| mlk_keccakf1600_extract_bytes (big endian) | | 2s | 4s | -50% |
| mlk_keccakf1600_xor_bytes | | 2s | 1s | +100% |
| mlk_poly_add | | 2s | 2s | +0% |
| mlk_poly_compress_dv | | 2s | 3s | -33% |
| mlk_poly_frombytes_c | | 2s | 1s | +100% |
| mlk_poly_invntt_tomont_c | | 2s | 2s | +0% |
| mlk_poly_mulcache_compute_native | | 2s | 1s | +100% |
| mlk_poly_ntt | | 2s | 3s | -33% |
| mlk_poly_ntt_c | | 2s | 2s | +0% |
| mlk_poly_reduce | | 2s | 3s | -33% |
| mlk_poly_reduce_c | | 2s | 4s | -50% |
| mlk_poly_tobytes_c | | 2s | 2s | +0% |
| mlk_polyvec_decompress_du | | 2s | 2s | +0% |
| mlk_polyvec_reduce | | 2s | 2s | +0% |
| mlk_polyvec_tobytes | | 2s | 3s | -33% |
| mlk_polyvec_tomont | | 2s | 1s | +100% |
| mlk_scalar_compress_d1 | | 2s | 2s | +0% |
| mlk_scalar_compress_d10 | | 2s | 3s | -33% |
| mlk_scalar_compress_d5 | | 2s | 1s | +100% |
| mlk_scalar_decompress_d4 | | 2s | 2s | +0% |
| mlk_sha3_256 | | 2s | 5s | -60% |
| mlk_sha3_512 | | 2s | 4s | -50% |
| mlk_shake128_absorb_once | | 2s | 1s | +100% |
| mlk_shake128x4_absorb_once | | 2s | 6s | -67% |
| mlk_shake128x4_squeezeblocks | | 2s | 2s | +0% |
| mlk_value_barrier_u8 | | 2s | 2s | +0% |
| poly_tobytes_native_aarch64 | | 2s | 2s | +0% |
| sys_check_capability | | 2s | 2s | +0% |
| keccak_f1600_x1_native_aarch64_v84a | | 1s | 2s | -50% |
| mlk_ct_cmask_neg_i16 | | 1s | 4s | -75% |
| mlk_keccakf1600x4_permute | | 1s | 3s | -67% |
| mlk_poly_frombytes | | 1s | 2s | -50% |
| mlk_poly_invntt_tomont | | 1s | 2s | -50% |
| mlk_poly_tobytes_native | | 1s | 4s | -75% |
| mlk_polyvec_basemul_acc_montgomery_cached | | 1s | 3s | -67% |
| mlk_polyvec_compress_du | | 1s | 2s | -50% |
| mlk_scalar_compress_d11 | | 1s | 2s | -50% |
| poly_invntt_tomont_native | | 1s | 2s | -50% |
| polyvec_basemul_acc_montgomery_cached_k2_native_aarch64 | | 1s | 4s | -75% |

@oqs-bot
Contributor

oqs-bot commented Jan 18, 2026

CBMC Results (ML-KEM-1024)

⚠️ Attention Required

| Proof | Status | Current | Previous | Change |
|---|---|---|---|---|
| **TOTAL** | ⚠️ | 2159s | 1557s | +38.7% |
| mlk_indcpa_keypair_derand | ⚠️ | 691s | 242s | +186% |
| mlk_poly_reduce_native | ⚠️ | 21s | 12s | +75% |
Full Results (139 proofs)
| Proof | Status | Current | Previous | Change |
|---|---|---|---|---|
| **TOTAL** | ⚠️ | 2159s | 1557s | +38.7% |
| mlk_indcpa_keypair_derand | ⚠️ | 691s | 242s | +186% |
| mlk_indcpa_enc | | 357s | 324s | +10% |
| mlk_keccak_squeezeblocks_x4 | | 126s | 115s | +10% |
| mlk_polyvec_add | | 121s | 118s | +3% |
| polyvec_basemul_acc_montgomery_cached_native | | 119s | 107s | +11% |
| mlk_rej_uniform_c | | 94s | 63s | +49% |
| mlk_poly_rej_uniform | | 45s | 36s | +25% |
| mlk_polyvec_basemul_acc_montgomery_cached_c | | 44s | 45s | -2% |
| poly_ntt_native | | 36s | 33s | +9% |
| mlk_ntt_layer | | 29s | 23s | +26% |
| mlk_poly_decompress_dv | | 23s | 25s | -8% |
| mlk_poly_reduce_native | ⚠️ | 21s | 12s | +75% |
| keccakf1600x4_permute_native_x4 | | 18s | 18s | +0% |
| mlk_indcpa_dec | | 15s | 19s | -21% |
| mlk_keccak_absorb_once_x4 | | 10s | 8s | +25% |
| mlk_poly_rej_uniform_x4 | | 10s | 8s | +25% |
| mlk_keccak_squeezeblocks | | 9s | 8s | +12% |
| mlk_ntt_butterfly_block | | 9s | 8s | +12% |
| mlk_poly_sub | | 9s | 9s | +0% |
| kem_dec | | 8s | 9s | -11% |
| mlk_poly_compress_du | | 8s | 7s | +14% |
| mlk_poly_frombytes_native | | 8s | 7s | +14% |
| mlk_fqmul | | 7s | 6s | +17% |
| mlk_gen_matrix | | 7s | 7s | +0% |
| mlk_poly_frommsg | | 7s | 4s | +75% |
| keccakf1600_permute_native | | 6s | 5s | +20% |
| mlk_ct_cmov_zero | | 6s | 2s | +200% |
| mlk_gen_matrix_serial | | 6s | 5s | +20% |
| mlk_invntt_layer | | 6s | 4s | +50% |
| mlk_keccak_squeeze_once | | 6s | 6s | +0% |
| mlk_poly_cbd_eta1 | | 6s | 5s | +20% |
| mlk_poly_invntt_tomont | | 5s | 2s | +150% |
| mlk_poly_tomont_c | | 5s | 1s | +400% |
| mlk_polymat_permute_bitrev_to_custom | | 5s | 3s | +67% |
| mlk_scalar_compress_d10 | | 5s | 3s | +67% |
| mlk_shake128_squeezeblocks | | 5s | 2s | +150% |
| poly_tomont_native_aarch64 | | 5s | 3s | +67% |
| intt_native_aarch64 | | 4s | 3s | +33% |
| mlk_ct_cmask_neg_i16 | | 4s | 1s | +300% |
| mlk_keccak_absorb_once | | 4s | 4s | +0% |
| mlk_keccakf1600_permute | | 4s | 5s | -20% |
| mlk_poly_getnoise_eta1122_4x | | 4s | 1s | +300% |
| mlk_poly_getnoise_eta1_4x | | 4s | 2s | +100% |
| mlk_poly_getnoise_eta2 | | 4s | 2s | +100% |
| mlk_poly_mulcache_compute_c | | 4s | 2s | +100% |
| mlk_shake256x4 | | 4s | 4s | +0% |
| mlk_value_barrier_u8 | | 4s | 4s | +0% |
| poly_invntt_tomont_native | | 4s | 2s | +100% |
| poly_mulcache_compute_native_aarch64 | | 4s | 2s | +100% |
| poly_tobytes_native_aarch64 | | 4s | 1s | +300% |
| polyvec_basemul_acc_montgomery_cached_k4_native_aarch64 | | 4s | 2s | +100% |
| rej_uniform_native | | 4s | 3s | +33% |
| keccak_f1600_x1_native_aarch64_v84a | | 3s | 2s | +50% |
| keccak_f1600_x4_native_aarch64_v8a_scalar_hybrid | | 3s | 4s | -25% |
| kem_check_pk | | 3s | 2s | +50% |
| kem_check_sk | | 3s | 3s | +0% |
| kem_enc | | 3s | 3s | +0% |
| kem_enc_derand | | 3s | 4s | -25% |
| kem_keypair | | 3s | 2s | +50% |
| kem_keypair_derand | | 3s | 2s | +50% |
| mlk_barrett_reduce | | 3s | 1s | +200% |
| mlk_check_pct | | 3s | 4s | -25% |
| mlk_ct_get_optblocker_u32 | | 3s | 3s | +0% |
| mlk_ct_sel_int16 | | 3s | 3s | +0% |
| mlk_keccakf1600_extract_bytes | | 3s | 2s | +50% |
| mlk_keccakf1600_extract_bytes (big endian) | | 3s | 5s | -40% |
| mlk_montgomery_reduce | | 3s | 2s | +50% |
| mlk_poly_add | | 3s | 2s | +50% |
| mlk_poly_compress_dv | | 3s | 4s | -25% |
| mlk_poly_frombytes | | 3s | 1s | +200% |
| mlk_poly_invntt_tomont_c | | 3s | 3s | +0% |
| mlk_poly_ntt | | 3s | 3s | +0% |
| mlk_poly_ntt_c | | 3s | 3s | +0% |
| mlk_poly_tobytes | | 3s | 3s | +0% |
| mlk_poly_tomont | | 3s | 2s | +50% |
| mlk_polyvec_basemul_acc_montgomery_cached | | 3s | 3s | +0% |
| mlk_polyvec_decompress_du | | 3s | 3s | +0% |
| mlk_polyvec_mulcache_compute | | 3s | 4s | -25% |
| mlk_polyvec_permute_bitrev_to_custom_native | | 3s | 3s | +0% |
| mlk_polyvec_reduce | | 3s | 3s | +0% |
| mlk_polyvec_tomont | | 3s | 3s | +0% |
| mlk_rej_uniform | | 3s | 1s | +200% |
| mlk_scalar_compress_d11 | | 3s | 1s | +200% |
| mlk_scalar_compress_d5 | | 3s | 2s | +50% |
| mlk_scalar_decompress_d11 | | 3s | 3s | +0% |
| mlk_scalar_signed_to_unsigned_q | | 3s | 3s | +0% |
| mlk_value_barrier_i32 | | 3s | 2s | +50% |
| ntt_native_aarch64 | | 3s | 2s | +50% |
| poly_getnoise_eta1122_4x_native | | 3s | 2s | +50% |
| rej_uniform_native_aarch64 | | 3s | 3s | +0% |
| sys_check_capability | | 3s | 2s | +50% |
| keccak_f1600_x1_native_aarch64 | | 2s | 3s | -33% |
| keccak_f1600_x4_native_aarch64_v84a | | 2s | 2s | +0% |
| keccak_f1600_x4_native_aarch64_v8a_v84a_scalar_hybrid | | 2s | 2s | +0% |
| mlk_ct_cmask_nonzero_u16 | | 2s | 2s | +0% |
| mlk_ct_get_optblocker_i32 | | 2s | 3s | -33% |
| mlk_ct_get_optblocker_u8 | | 2s | 3s | -33% |
| mlk_ct_memcmp | | 2s | 3s | -33% |
| mlk_ct_sel_uint8 | | 2s | 4s | -50% |
| mlk_keccakf1600_xor_bytes (big endian) | | 2s | 2s | +0% |
| mlk_keccakf1600x4_extract_bytes | | 2s | 4s | -50% |
| mlk_keccakf1600x4_permute | | 2s | 1s | +100% |
| mlk_matvec_mul | | 2s | 3s | -33% |
| mlk_poly_cbd_eta2 | | 2s | 2s | +0% |
| mlk_poly_decompress_du | | 2s | 1s | +100% |
| mlk_poly_getnoise_eta1_4x_native | | 2s | 1s | +100% |
| mlk_poly_mulcache_compute | | 2s | 2s | +0% |
| mlk_poly_mulcache_compute_native | | 2s | 1s | +100% |
| mlk_poly_reduce_c | | 2s | 2s | +0% |
| mlk_poly_tobytes_c | | 2s | 2s | +0% |
| mlk_poly_tobytes_native | | 2s | 1s | +100% |
| mlk_poly_tomont_native | | 2s | 2s | +0% |
| mlk_poly_tomsg | | 2s | 1s | +100% |
| mlk_polyvec_compress_du | | 2s | 4s | -50% |
| mlk_polyvec_frombytes | | 2s | 3s | -33% |
| mlk_polyvec_invntt_tomont | | 2s | 3s | -33% |
| mlk_polyvec_ntt | | 2s | 3s | -33% |
| mlk_polyvec_permute_bitrev_to_custom | | 2s | 2s | +0% |
| mlk_polyvec_tobytes | | 2s | 5s | -60% |
| mlk_scalar_compress_d1 | | 2s | 3s | -33% |
| mlk_scalar_decompress_d4 | | 2s | 1s | +100% |
| mlk_sha3_256 | | 2s | 1s | +100% |
| mlk_sha3_512 | | 2s | 2s | +0% |
| mlk_shake128x4_absorb_once | | 2s | 2s | +0% |
| mlk_shake128x4_squeezeblocks | | 2s | 2s | +0% |
| mlk_value_barrier_u32 | | 2s | 2s | +0% |
| polyvec_basemul_acc_montgomery_cached_k2_native_aarch64 | | 2s | 2s | +0% |
| polyvec_basemul_acc_montgomery_cached_k3_native_aarch64 | | 2s | 3s | -33% |
| mlk_ct_cmask_nonzero_u8 | | 1s | 3s | -67% |
| mlk_keccakf1600_xor_bytes | | 1s | 2s | -50% |
| mlk_keccakf1600x4_xor_bytes | | 1s | 5s | -80% |
| mlk_poly_frombytes_c | | 1s | 3s | -67% |
| mlk_poly_reduce | | 1s | 1s | +0% |
| mlk_scalar_compress_d4 | | 1s | 3s | -67% |
| mlk_scalar_decompress_d10 | | 1s | 2s | -50% |
| mlk_scalar_decompress_d5 | | 1s | 2s | -50% |
| mlk_shake128_absorb_once | | 1s | 4s | -75% |
| mlk_shake256 | | 1s | 2s | -50% |
| poly_reduce_native_aarch64 | | 1s | 2s | -50% |

@hanno-becker hanno-becker force-pushed the randombytes branch 2 times, most recently from 6d5ceed to efec853 Compare January 18, 2026 05:37
@hanno-becker
Contributor

@L-series could you also incorporate pq-code-package/mldsa-native#864 ?

Change randombytes() to return int (0 on success, non-zero on failure)
instead of void, allowing callers to detect and handle RNG failures.

This commit:

* Updates function signatures.
* Updates all call sites to check return values.
* Changes test files to use CHECK macro.
* Adds documentation of the new failure mode to sign.h and
  mlkem_native.h
* Adds a new error code MLK_ERR_RNG_FAIL.
* Declares src/randombytes with MLK_MUST_CHECK_RETURN_VALUE.

Signed-off-by: Andreas Hatziiliou <[email protected]>
Tests that crypto_kem_enc and crypto_kem_keypair
correctly return MLD_ERR_RNG_FAIL when randombytes()
fails. We systematically inject failures at each
invocation point. This test is based on the work from
the test_alloc implementation.

Signed-off-by: Andreas Hatziiliou <[email protected]>
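The contract change and the injection test described in the two commit messages above, as an added C example that is not code from mlkem-native or from this PR: randombytes() returns int with 0 meaning success, a warn_unused_result attribute stands in for the project's MLK_MUST_CHECK_RETURN_VALUE, the constructed code EX_ERR_RNG_FAIL stands in for MLK_ERR_RNG_FAIL (its value is an assumption), and toy_kem_keypair / toy_kem_enc are constructed stand-ins for crypto_kem_keypair / crypto_kem_enc, not the real KEM. exercise_rng_failures() runs an operation once to count its randombytes() invocation points, then fails each one in turn and requires the error to surface at the API boundary, which is the property the test_rng_fail commit describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed error codes for this example; mlkem-native defines its own
 * MLK_ERR_RNG_FAIL in mlkem_native.h and the value below is an assumption. */
#define EX_OK 0
#define EX_ERR_RNG_FAIL (-1)

/* Stand-in for MLK_MUST_CHECK_RETURN_VALUE: the compiler flags any caller
 * that silently drops the result of randombytes(). */
#if defined(__GNUC__) || defined(__clang__)
#define EX_MUST_CHECK_RETURN_VALUE __attribute__((warn_unused_result))
#else
#define EX_MUST_CHECK_RETURN_VALUE
#endif

/* Fault-injection state: fail the n-th randombytes() call (1-based);
 * 0 means never fail. */
static unsigned rng_fail_at;
static unsigned rng_calls;

static void rng_fail_reset(unsigned fail_at) {
  rng_fail_at = fail_at;
  rng_calls = 0;
}

/* Test double for randombytes(): 0 on success, non-zero on failure, the
 * contract this PR introduces. The output is a deterministic filler
 * (constructed), not randomness. */
EX_MUST_CHECK_RETURN_VALUE static int randombytes(uint8_t *out, size_t outlen) {
  size_t i;
  rng_calls++;
  if (rng_fail_at != 0 && rng_calls == rng_fail_at) return -1;
  for (i = 0; i < outlen; i++) out[i] = (uint8_t)(0xA5 ^ (i + rng_calls));
  return 0;
}

#define SEEDBYTES 32

/* Constructed stand-ins for crypto_kem_keypair / crypto_kem_enc: keypair
 * draws two seeds, enc draws one, and every draw is checked so that an RNG
 * failure propagates to the caller as EX_ERR_RNG_FAIL. */
static int toy_kem_keypair(uint8_t pk[SEEDBYTES], uint8_t sk[SEEDBYTES]) {
  if (randombytes(pk, SEEDBYTES) != 0) return EX_ERR_RNG_FAIL;
  if (randombytes(sk, SEEDBYTES) != 0) return EX_ERR_RNG_FAIL;
  return EX_OK;
}

static int toy_kem_enc(uint8_t ct[SEEDBYTES], uint8_t ss[SEEDBYTES],
                       const uint8_t pk[SEEDBYTES]) {
  uint8_t coins[SEEDBYTES];
  size_t i;
  if (randombytes(coins, SEEDBYTES) != 0) return EX_ERR_RNG_FAIL;
  for (i = 0; i < SEEDBYTES; i++) {
    ct[i] = (uint8_t)(coins[i] ^ pk[i]);
    ss[i] = coins[i];
  }
  return EX_OK;
}

typedef int (*ex_op_fn)(void);

static int op_keypair(void) {
  uint8_t pk[SEEDBYTES], sk[SEEDBYTES];
  return toy_kem_keypair(pk, sk);
}

static int op_enc(void) {
  static const uint8_t pk[SEEDBYTES] = {0}; /* constructed fixed public key */
  uint8_t ct[SEEDBYTES], ss[SEEDBYTES];
  return toy_kem_enc(ct, ss, pk);
}

/* Systematic injection: run once to count RNG invocation points, then fail
 * each one in turn and require EX_ERR_RNG_FAIL from the API. Returns the
 * number of injection points exercised, or -1 if any run did not fail as
 * expected (i.e. a call site dropped the randombytes() result). */
static int exercise_rng_failures(ex_op_fn op) {
  unsigned points, i;
  rng_fail_reset(0);
  if (op() != EX_OK) return -1; /* baseline run must succeed */
  points = rng_calls;
  for (i = 1; i <= points; i++) {
    rng_fail_reset(i);
    if (op() != EX_ERR_RNG_FAIL) return -1;
  }
  rng_fail_reset(0);
  return (int)points;
}

int main(void) {
  printf("keypair: %d injection points\n", exercise_rng_failures(op_keypair));
  printf("enc:     %d injection points\n", exercise_rng_failures(op_enc));
  return 0;
}
```

Counting invocation points on a passing run before injecting keeps the test honest as the code evolves: if a later change adds a randombytes() call whose result is ignored, the baseline count rises, that index is injected, the operation returns EX_OK instead of the error, and the loop reports a miss.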
@L-series
Contributor Author

@L-series could you also incorporate pq-code-package/mldsa-native#864 ?

Done!

Add the rng failure test to the CI.

Signed-off-by: Andreas Hatziiliou <[email protected]>
extra_env: 'ASAN_OPTIONS=detect_leaks=1'
examples: false # Some examples use a custom config themselves
alloc: false # Requires custom config
rng_fail: false # Requires custom config
Contributor


That's not true anymore?

examples: false
stack: false
alloc: ${{ matrix.target.alloc }}
rng_fail: false
Contributor


This can be set to true if we incorporate pq-code-package/mldsa-native#900

Comment on lines +121 to +126
# Special rule for test_rng_fail - link against rng_fail libraries with custom randombytes config
define ADD_SOURCE_RNG_FAIL
$(BUILD_DIR)/$(1)/bin/test_rng_fail$(subst mlkem,,$(1)): LDLIBS += -L$(BUILD_DIR) -l$(1)
$(BUILD_DIR)/$(1)/bin/test_rng_fail$(subst mlkem,,$(1)): $(BUILD_DIR)/$(1)/test/src/test_rng_fail.c.o $(BUILD_DIR)/lib$(1).a
endef

Contributor


Can you follow pq-code-package/mldsa-native#900 here?

Contributor

@hanno-becker hanno-becker left a comment


Thanks @L-series!

The rng_fail test no longer requires a custom config so can be run in more contexts.

We also need to include pq-code-package/mldsa-native#900 which enables rng_fail for baremetal contexts, and should add it to the baremetal CI.
